HackDig : Dig high-quality web security articles for hacker

Developer discovered that iOS apps can read metadata revealing users’ locations and much more, a serious threat to our privacy.

The developer Felix Krause, founder of Fastlane.Tools, has discovered that iOS apps can access image metadata revealing users’ location history.

Krause published a detailed analysis on the Open Radar community, he explained that the app just needs to get permission to access the image library.

“If an app gets permission to access the image library, it will get full access to all image metadata also, including the exact location.” wrote Krause.“This is a serious privacy issue, as third party camera apps that want to just store a picture the user took, will also get full access to all photos and their locations in their image library.”

The developer explained that it is too easy to access image metadata with the following procedure:

1. Ask the user for permission to access photo library
2. If approved, get a list of all the past locations using
```objective-c
PHFetchResult *photos = [PHAsset fetchAssetsWithMediaType:PHAssetMediaTypeImage options:nil];
for (PHAsset *asset in photos) {
if ([asset location]) {
// Access the full location, speed, full picture, camera model, etc. here
}
}
```
3. Use that data to get a great understanding of what the user does

The expert also published a proof-of-concept code at GitHub, he explained it was very easy to write it.

“Does your iOS app have access to the user’s image library? Do you want to know your user’s movements over the last several years, including what cities they’ve visited, which iPhones they’ve owned and how they travel? Do you want all of that data in less a second? Then this project is for you!

The access to the image library allows the app to get the entire EXIF dataset that includes more than users’ locations.

The developer has demonstrated that is possible to access the following data:

The exact location of each asset;

The physical speed in which the picture/video was taken (how fast did the camera move);

The camera model;

The exact date + time; and

Other exif image metadata.

Such kind of data could be exploited by attackers for surveillance or fraudulent activities.

Krause suggests Apple must review the way it manages the image library permissions, for example asking a user to give explicit permission for an app to access image metadata. Another possibility is to separate out permissions for selecting a photo, and granting access to the photo library.

The proof-of-concept app, dubbed DetectLocations is available at the App Store.